1. Introduction
The Joint Personal Data Controllers¹ led by the European Commission (hereafter ‘the Commission’) are committed to protecting your personal data and to respecting your privacy. The Joint Controllers collect and process personal data pursuant to Regulation (EU) 2018/1725².
The scope of this privacy statement covers personal data collected for the purpose of managing EU programmes, procurement and activities via the EU Funding & Tenders Portal (hereinafter “the Portal”) and the related processing operations undertaken by the Joint Controllers for the purpose of grants and prizes award and management in both – direct and indirect – management.
The figure below gives an overview of the flow of personal data through the various business processes served by the Portal:
2. Why and how do we process your personal data?
1 The Joint Personal Data Controllers (hereinafter “the Joint Controllers”) are all European Union institutions, bodies, offices and agencies (hereinafter commonly referred to as “the EUIBAs”) who are parties to the Joint Controllership Arrangement of the Portal (hereinafter “the JCA”) and who process the personal data collected by the Portal business processes. The full list of Joint Controllers is available here.
2 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (OJ L 295, 21.11.2018, p. 39) (hereinafter “Regulation (EU) 2018/1725” or “the Regulation”).
PRIVACY STATEMENT FOR GRANT AND PRIZES AWARD AND MANAGEMENT
Purpose of the processing operation:
The Joint Controllers collect and use your personal information to execute the Portal business processes for (potential) participants, experts and national points of contacts in the funding programmes, activities and in procurements managed by the European Union institutions and bodies.
This privacy statement covers the processing of personal data across all electronic and paper-based transactions linked to the Portal. It focuses on the business processes and therefore abstracts from the underlying IT architecture.
The Portal business processes are:
i. the core activities of the Portal, that are:
− external expert registration, selection and management
− grants and prizes award and management
− procurement award and management
− participant registration, assessment and validation management and
− domain specific facts registration, assessment and validation management.
ii. other services that are linked to the core activities of the Portal and that are also necessary for the performance of a task carried out in the public interest, such as:
− partner search functionality management as a service to Participants to facilitate the finding of partners and to provide a personal user profile for any registered user of the Portal
− management and publication of the identity and contact details of the national contact points and programme committee members.
For all these business processes, the privacy statement covers the entire life cycle of linked personal data processing operations including (but not limited to) registration, accreditation, application, selection, evaluation, validation, entry into and monitoring of the relevant type of legal commitment and all linked financial transactions. The privacy statement also covers all internal and external checks, audits, investigations and other proceedings that users of public funds of the European Union are subject to, in order to assess the legality and regularity of the transactions underlying the implementation of the European Union budget. The audit and control activities can be conducted at any time during the performance of the programme / contract / project, as well as thereafter, and can concern any aspect, depending on the needs of the Joint Controller. The privacy statement covers both external and internal data subjects.
The Joint Controllers may use limited personal data obtained through the Portal for the purposes of monitoring, evaluating, and improving their programmes and initiatives (including for monitoring how they are generating scientific impact by strengthening human capital in R&I); to account for these in front of the legislative authorities (the European Parliament and the European Council); to comply with their public reporting obligations; and as a source of information for policy-making.
Your personal data will NOT be used for automated decision-making, including profiling.
Related processing operations:
Further processing operations working with personal data collected through the Portal are listed below with their separate data protection records and privacy statements:
i. European Commission’s Identity Access Management Service (IAMS), including EU-login, enabling registration & access to the Portal to internal and external users (data subjects) (link to record: https://ec.europa.eu/dpo-register/detail/DPR-EC-03187)
ii. Accounting system: registration of legal entity and bank account records in the central European Commission accounting system for enabling financial transactions vis-a-vis third parties (including Experts and Participants) (link to record: https://ec.europa.eu/dpo-register/detail/DPR-EC-00301)
iii. Management and (short- and medium-term) preservation of documents (link to record: https://ec.europa.eu/dpo-register/detail/DPR-EC-00536)
iv. Long-term preservation of the archives: notwithstanding the above retention periods: in the rare occurrence that a file is selected or sampled at the end of retention period, some data may be retained in the European Commission’s Historical Archives as required by the Archives Regulation (Council Regulation No. 354/83). (link to record: https://ec.europa.eu/dpo-register/detail/DPR-EC-00837)
v. Early Detection and Exclusion System (EDES): a database for protection of the EU financial interests by means of detection of risks and imposition of administrative sanctions (link to record: https://ec.europa.eu/dpo-register/detail/DPR-EC-04410).
vi. The European Research Council has specific further personal data protection processing regarding external experts selection and management and grant award and management. These further processing operations are detailed in https://erc.europa.eu/records-register.
3. On what legal ground(s) do we process your personal data for grants and prizes award and management?
We process your personal data, because:
a. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the European Union institution or body (Article 5(1)(a) of Regulation (EU) 2018/1725) and/or
b. processing is necessary for compliance with a legal obligation to which the Joint Controller is subject (Article 5(1)(b) of Regulation (EU) 2018/1725) and/or
c. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 5(1)(c) of Regulation (EU) 2018/1725).
The specific legal bases applying to the processing referred above under (a) and (b) are:
− Regulation (EU, Euratom) 2018/1046³, and in particular: Title V (Common Rules), Title VII (Procurement and Concessions), Title VIII (Grants), Title IX (Prizes), Title XII (Other Budget Implementation Instruments, including management of experts and participant registration and validation) and Annex I (Procurement)
− The financing decisions form part of the legal basis for a processing operation, where applicable, in line with Article 110 of the Financial Regulation
− Union law setting up specific funding programmes and initiatives provides a further legal basis for personal data processing, while referring to the Financial Regulation for the actual implementation mechanisms.
− Union law establishing the EUIBAs as Joint Controllers.
4. Which personal data do we collect and further process?
The Joint Controllers collect and process the personal data that the data subject (including the involved researchers) or his/her representative has submitted via the Portal by filling in data fields of IT-systems / applications or by providing supporting documentation (e.g. in format of PDF documents, scans) when using the relevant business process functionality of the Portal.
Data categories and fields:
The personal data that is processed for grants and prizes award and management by the Portal is the following:
[I] Identification data:
(1) first name, middle name & last name (including maiden name)
(2) gender
(3) title
(4) nationality
(4) Participant Identification Code (PIC) (when Participant is a natural person)
(5) Other person identifiers linked to other sources (like ORCID ID or Researcher ID)
(6) ID document number (passport or other)
[II] Contact data:
(1) e-mail
(2) contact (phone) numbers (including all types, such as: personal, business, GSM, landline, fax, voice over IP, etc.)
(3) personal address(es) submitted (such as origin, permanent, current, previous residences)
3 Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union (hereinafter “the Financial Regulation”) (OJ L 193, 30.7.2018, p. 1).
[III] Employment and career related data:
(1) current employment status (such as employer’s name & address, department, function/position, staff category)
(2) career stage
[IV] Financial data of natural persons:
(1) bank account related data (such as account number, name and address of the holder, name and address of the bank, available funds)
[V] Data necessary for management of procedural / evaluation / performance related aspects
(1) eligibility criteria related personal data and programme related accreditation data
(2) exclusion criteria related personal data (including declaration on honour and extracts from judicial records for natural persons)
(3) selection criteria related personal data
(4) award criteria related personal data
(5) performance related personal data linked to legal commitment with the EUIBA (such as quality of performance of Participant (if a natural person) or Participant’s staff during the execution of relevant legal commitment with the EUIBA, information linked to participation to meetings)
(6) any other procedural (application, evaluation process related, project reporting and monitoring, etc.) data that is of personal nature and linked to points listed above (including role in the project)
(7) data related to disadvantaged status or vulnerable status (e.g. social and economic situation (poor family and background, from disadvantaged area, status of refugee, or displaced person))
[VI] Authentication and access data:
(1) EU Login credentials
(2) IP address
(3) security data/log in files
[VII] Health related data:
(1) information related to health conditions in relation to claims e.g. for special costs or triggering a change for a contractual condition (suspension, amendment, parental leave, etc.). Further, in some cases, as described in section VI.1 linked to eligibility criteria
[VIII] Other incidental and unsolicited data:
(1) Third party personal data: the supporting documents submitted by the Participant may contain personal data of third persons (such as other experts mentioned in proposals, board members, etc.) not necessary for purposes of processing in business areas of the Portal
(2) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual orientation – if these data appear in the documents (CVs, ID documents, other documents) provided without EUIBA request by the data subjects
(3) (references to) personal data freely available on social networks and the Internet.
The data categories listed above are exhaustive, but the listed data fields are non-exhaustive.
5. How long do we keep your personal data?
The Joint Controllers only keep your personal data for the time necessary to fulfil the purpose of collection or processing, namely for the following periods:
Data category: Grant Management
− For personal data in granted proposals, grant agreements and deliverable reports and related transactions:
Retention period start date/moment: End of the year (31/12/YYYY) following the closure of the grant action or agreement or last financial / accounting operation of the grant agreement of the Participant – whichever is later (N)
Retention period end date/moment: N+10 years
− For personal data in proposals not leading to a grant:
Retention period start date/moment: End of the year of the call deadline (N)
Retention period end date/moment: N+5 years
− Scientific staff data: limited categories of personal data of scientific staff of applicants / beneficiaries (i.e. identification (title, name, surname or Researcher ID) and contact details (e-mail)) for scientific research and/or statistical purposes. These limited categories of personal data are retained pursuant to Article 4(1)(e) of Regulation (EU) 2018/1725, and subject to the implementation of appropriate safeguards in accordance with Article 13, unless the applicant / beneficiary exercises the right to object under Article 23 of Regulation (EU) 2018/1725.
Retention period start date/moment: End of the year (31/12/YYYY) following the closure of the grant action or agreement or last financial / accounting operation of the grant agreement of the Participant – whichever is later (N), OR End of the year of the call deadline (N), whichever is later
Retention period end date/moment: N+25 years
6. How do we protect and safeguard your personal data?
All personal data in paper format is stored in the premises of European Union institutions, bodies, offices and agencies, access to which is controlled by access policies based on Commission Decision (EU, Euratom) 2015/443 on Security in the Commission (link to European Union law database: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D0443). The paper files are stored in locked/secure cupboards and/or storage offices. Access is limited and is on a need-to-know basis.
All supporting front and back-office IT systems (and thus all personal data in electronic format: e-mails, documents, databases, uploaded batches of data, etc.) for any of the Portal business areas are stored within the Portal IT-ecosystem that in turn is located in European Commission’s data centre. Its servers are located on the territory of the European Union. All European Commission IT systems (i.e. all communication and information systems) which are owned, procured, managed or operated by or on behalf of the European Commission or are used by the European Commission are compliant with the Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (link to European Union law database: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017D0046).
In order to protect your personal data, the European Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Within the European Union organisation (the Joint Controllers / the EUIBA) a recipient may be:
i. any legal person that is an EUIBA who works with the Portal processing operations covered by this privacy statement or is entitled by law and
ii. any legal or natural person who is in a contractual relationship with an EUIBA who works with the Portal processing operations covered by this privacy statement.
Such as: staff of European Union institutions and bodies, external experts and staff of contractors.
Outside the European Union organisation a recipient may be:
i. any legal or natural person to whom EUIBA is under regulatory duty or who needs it in the public interest and the recipient needs it for legitimate performance of tasks within its competence.
Such as: authorised persons representing EU Member States / EEA countries (and for associated countries if relevant for the programme) in various programming / legislative bodies (like programme committees, advisory groups, national authorities / agencies / contact points, etc.) and authorised persons representing industry in case of EU joint undertakings’ operations, etc.
ii. any legal or natural person who has a contractual relationship with an EUIBA and who is working on behalf of and under the responsibility of the Controllers for the purposes of performing the tasks of the relevant contract or has a need-to-know stemming from the contract.
Such as: staff of contractors acting as processors for a specific processing operation (auditor, event organiser), external auditors / contractors carrying out financial verifications, etc.
Further specific disclosure:
i. Specifically for expert management: access may be given, on request, to certain research institutions (funding organisations), who participate in the European Research Area; and in case of experts for project monitoring: the coordination/beneficiary in grant agreement; certain personal data of experts is published online according to EC horizontal rules on expert groups (available: https://ec.europa.eu/transparency/regexpert/PDF/C_2016_3301_F1_COMMISSION_DECISION_EN.pdf).
ii. Further specifically for the expert management, their role in panel (chair or member, etc.) may be published online if required by legal basis.
iii. Specifically for procurement and grant management: partner organisations chosen by participant and included in participant’s grant or tender proposal.
iv. Specifically for national points of contacts: the names of the nominated NCPs are published in the NCP database, which is accessible online.
v. Specifically for Partner Search: the recipient is general public (online), if and when the participant has freely chosen to set its person profile to public mode.
vi. Specifically for certain programme / initiative related publication online, such as: film directors’ names for “MEDIA”, contract details of professors for “Jean Monnet”, ERC principal investigators, etc. These are either participation conditions of the programme or based on data subject’s consent – the recipient is general public (online).
vii. Finally, in accordance with the Financial Regulation (particularly Article 38 et al), certain information on recipients of EU funds is published annually on the Europa webpage (Financial Transparency System: https://ec.europa.eu/budget/fts/index_en.htm; the Official Journal of the European Union and/or on the applicable website of the EUIBA).
viii. Pursuant to Article 3(13) of Regulation (EU) 2018/1725, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients. The further processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
IMPORTANT: Disclosure to recipients is exercised in compliance with the principles of “necessity” and “data minimisation”. The natural persons further abide by the statutory obligations, and when required, additional confidentiality agreements.
International data transfers:
The Operational Controllers may transfer your personal data to recipients in a third country or to an international organisation in accordance with Regulation (EU) 2018/1725.
Detailed information on the categories of recipients and the legal ground for the transfers in the context of grant management is available here.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability. Further, if you have questions regarding adequacy decisions and appropriate safeguards (or want to obtain a copy) in case of international data transfers, this can be provided upon request to the relevant Joint Controller.
You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725 on grounds relating to your particular situation.
If the relevant Portal processing operation (e.g. Partner Search) has required your consent (pursuant to Article 5(1)(d) of the Regulation) or in case you provide your explicit consent pursuant to Article 50.1 (a) for international transfer, then you can withdraw your consent at any time by notifying the Joint Controller(s). The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
You can exercise your rights by contacting the relevant Joint Controller, or in case of conflict the relevant Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description in your request.
The data subjects’ rights (e.g. to information, access, rectification, erasure, restriction or objection to processing, communication of a personal data breach, or confidentiality of electronic communications) may be restricted under certain specific conditions by the joint controllers which have adopted a Restriction Decision in accordance with Article 25 of Regulation (EU) 2018/1725. In particular, for external experts registration, selection and management; grants and prizes award and management; procurement award and management; participants registration, assessment and validation management; domain specific facts registration, assessment and validation management; partner search and national contact points and programme committee members data management – the right to rectification is in principle limited to factual information. This is due to the fact that certain rectifications may lead to an alteration of the terms and conditions of the call for expression of interest / tender / call and lead to further consequences according to applicable legislation (e.g. any correction may lead to exclusion as stated in the Financial Regulation).
Nevertheless, you should be informed that by virtue of Article 25 of Regulation No 2018/1725 and of the Internal Rules laid down under Commission Decision (EU) 2018/1962⁴ and Commission Decision (EU) 2020/969⁵, one or several of these rights may be restricted for a temporary period of time inter alia on the grounds of prevention, investigation, detection and prosecution of criminal offences or on the grounds of monitoring, investigative, auditing or consultative activity of the Data Protection Officer of the European Commission. Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive more detailed information when this period has passed.
4 Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council.
5 Commission Decision (EU) 2020/969 of 3 July 2020 laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC.
As a general rule, you will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.
You have the right to make a complaint to the European Data Protection Supervisor concerning the scope of the restriction.
9. Contact information
The (Joint) Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact the relevant (Joint) Controller, which is responsible for a specific EU programme, procurement or activity (see list of joint controllers).
The Data Protection Officer (DPO) of the (Joint) Controller
You may contact the relevant Data Protection Officer (DPO) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725. For the contact data of the Data Protection Officer of the (Joint) Controller which is responsible for a specific EU programme, procurement or activity, see the list of joint controllers.
The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Joint Controllers publish the records relevant for the processing operations carried out under the Funding and Tenders Portal in the registers of all processing operations on personal data by the European institutions and bodies. You may access their registers via the following link: http://ec.europa.eu/dpo-register. The record is considered applicable for all Joint Controllers of the Portal.
This specific processing operation has been included in the DPO’s public register with the following record reference: DPR-EC-01024.
